Public-key encryption in a multi-user setting: Security proofs and improvements (original) (raw)
Related papers
On the security of public key cryptosystems with a double decryption mechanism
Information Processing Letters, 2008
In public key encryption schemes with a double decryption mechanism (DD-PKE), decryption can be done in either of two ways: by the user owning the secret/public key pair corresponding to the ciphertext, or by a trusted party holding a sort of master secret-key. In this note we argue that the classical security notion for standard public key encryption schemes does not suffice for DD-PKE schemes, and propose a new natural definition. Additionally, we illustrate the usefulness of the new security definition by showing that a DD-PKE scheme presented in the workshop Selected Areas in Cryptography 2005 is insecure under this augmented security notion.
A New Security Definition for Public Key Encryption Schemes and Its Applications
The strongest security definition for public key encryption (PKE) schemes is indistinguishability against adaptive chosen ciphertext attacks (IND-CCA). A practical IND-CCA secure PKE scheme in the standard model is well-known to be difficult to construct given the fact that there are only a few such kind of PKE schemes available. From another perspective, we observe that for a large class of PKE-based applications, although IND-CCA security is sufficient, it is not a necessary requirement. Examples are Key Encapsulation Mechanism (KEM), MT-authenticator, providing pseudorandomness with a-priori information, and so on. This observation leads us to propose a slightly weaker version of IND-CCA, which requires ciphertexts of two randomly selected messages are indistinguishable under chosen ciphertext attacks. Under this new security notion, we show that highly efficient schemes proven secure in the standard model can be built in a straightforward way. We also demonstrate that such a security definition is already sufficient for the applications above.
On the Security Notions for Public-Key Encryption Schemes
2004
In this paper, we revisit the security notions for public-key encryption, and namely indistinguishability. We indeed achieve the surprising result that no decryption query before receiving the challenge ciphertext can be replaced by queries (whatever the number is) after having received the challenge, and vice-versa. This remark leads to a stricter and more complex hierarchy for security notions in the public-key setting: the (i, j)-IND level, in which an adversary can ask at most i (j resp.) queries before (after resp.) receiving the challenge. Excepted the trivial implications, all the other relations are strict gaps, with no polynomial reduction (under the assumption that IND-CCA2 secure encryption schemes exist.) Similarly, we define different levels for non-malleability (denoted (i, j)-NM.)
New security notions and relations for public-key encryption
Journal of Mathematical Cryptology, 2012
Since their introduction, the notions of indistinguishability and non-malleability have been changed and extended by different authors to support different goals. In this paper, we propose new flavors of these notions, investigate their relative strengths with respect to previous notions, and provide the full picture of relationships (i.e., implications and separations) among the security notions for public-key encryption schemes. We take into account the two general security goals of indistinguishability and non-malleability, each in the message space, key space, and hybrid message-key space to find six specific goals, a couple of them, namely complete indistinguishability and key non-malleability, are new. Then for each pair of goals, coming from the indistinguishability or non-malleability classes, we prove either an implication or a separation, completing the full picture of relationships among all these security notions. The implications and separations are respectively supported by formal proofs (i.e., reductions) in the concrete-security framework and by counterexamples.
Generalized public-key cryptography with tight security
Information Sciences, 2019
Tightly secure public-key cryptographic schemes enjoy the advantage that the selection of the security parameter can be optimal to achieve a certain security level. Security models in the multiuser setting with corruptions (MU-C) consider more realistic threats in practice. Many efforts have been devoted to constructing tightly MU-C secure schemes. To date, we have many concrete constructions. Nevertheless, the study on how to generally achieve tight security in public-key cryptography remains lacking. In this paper, we take an insight into the key generations in public-key cryptography. We first generalize the key generation algorithms of traditional schemes and discuss the requirements of achieving tight security. We notice that for some schemes (e.g. key-unique schemes), these requirements inherently cannot be satisfied and hence these schemes cannot achieve tight security. This is in accordance with the impossibility results of tight reductions by Bader et al. (EUROCRYPT 2016). To further study possible constructions, we extend the key generations of public-key cryptographic schemes to obtain a different framework. To demonstrate its applications, we illustrate how to construct tightly secure key-unique schemes under the extended framework. This circumvents the impossibility results of tight security for key-unique schemes.
On Constructions and Security Notions of Public-key Cryptosystems
Book Chapter, Contemporary Topics in Mathematics and Statistics with Applications, Volume-I, Asian Books Pvt Ltd., 2012
From its inception, public-key cryptosystems have been an area of active research. Various aspects of public-key encryption like constructions, security notions, adversarial models, hardness assumptions, proof-methodology, efficiency, compatibility etc. have been analysed and re-analysed in the last three and half decades by numerous cryptographers. Some of them are good enough to survive while some of them, though broken, provides meaningful insights towards the subject. In this article, our aim is to provide an expository as well as technical (as far as possible, keeping in mind its brevity) overview of the subject as it has progressed over the years, along with some open problems and suitable references.
A new public-key cryptosystem as secure as factoring
Lecture Notes in Computer Science, 1998
This paper proposes a novel public-key cryptosystem, which is practical, provably secure and has some other interesting properties as follows: 1. Its trapdoor technique is essentially different from any other previous schemes including RSA-Rabin and Diffie-Hellman. 2. It is a probabilistic encryption scheme. 3. It can be proven to be as secure as the intractability of factoring n = p2q (in the sense of the security of the whole plaintext) against passive adversaries. 4. It is semantically secure under the p-subgroup assumption, which is comparable to the quadratic residue and higher degree residue assumptions. 5. Under the most practical environment, the encryption and decryption speeds of our scheme are comparable to (around twice slower than) those of elliptic curve cryptosystems. 6. It has a homomorphic property: E(mo, r0)E(ml, rl) mod n = E(mo+ ml, r2), where E(m, r) means a ciphertext of plaintext m as randomized by r and m0 § ml < p. 7. Anyone can change a ciphertext, C-E(m,r), into another ciphertext, C ~ = Ch "1 mod n, while preserving plaintext of C (i.e.,
2009
Recently, at Crypto 2008, Boneh, Halevi, Hamburg, and Ostrovsky (BHHO) solved the long-standing open problem of “circular encryption,” by presenting a public key encryption scheme and proving that it is semantically secure against key dependent chosen plaintext attack (KDM-CPA security) under standard assumptions (and without resorting to random oracles). However, they left as an open problem that of designing an encryption scheme that simultaneously provides security against both key dependent chosen plaintext and adaptive chosen ciphertext attack (KDM-CCA2 security). In this paper, we solve this problem. First, we show that by applying the Naor-Yung “double encryption” paradigm, one can combine any KDM-CPA secure scheme with any (ordinary) CCA2 secure scheme, along with an appropriate non-interactive zero-knowledge proof, to obtain a KDM-CCA2 secure scheme. Second, we give a concrete instantiation that makes use the above KDM-CPA secure scheme of BHHO, along with a generalization of the Cramer-Shoup CCA2 secure encryption scheme, and recently developed pairing-based NIZK proof systems. This instantiation increases the complexity of the BHHO scheme by just a small constant factor.
Efficient Public-Key Cryptosystems Provably Secure Against Active Adversaries
Lecture Notes in Computer Science, 1999
This paper proposes two new public-key cryptosystems semantically secure against adaptive chosen-ciphertext attacks. Inspired from a recently discovered trapdoor technique based on composite-degree residues, our converted encryption schemes are proven, in the random oracle model, secure against active adversaries (NM-CCA2) under the assumptions that the Decision Composite Residuosity and Decision Partial Discrete Logarithms problems are intractable. We make use of specific techniques that differ from Bellare-Rogaway or Fujisaki-Okamoto conversion methods. Our second scheme is specifically designed to be efficient for decryption and could provide an elegant alternative to OAEP.
On the Necessity of Strong Assumptions for the Security of a Class of Asymmetric Encryption Schemes
2002
Recently various public key encryption schemes such as DHIES by Abdalla, Bellare and Rogaway and REACT by Okamoto and Pointcheval, whose security against adaptive chosen ciphertext attack (CCA) is based on the Gap problems, have been proposed. Although the Gap problems were proved to be a sufficient assumption for those schemes to be secure against adaptive chosen-cipertext attack, a necessary condition for CCA security of those schemes has not been explicitly discussed. In this paper we clarify the necessary condition for CCA security of those schemes. Namely we prove (in the random oracle model) that the Gap Diffie-Hellman is not only sufficient, but also a necessary assumption for the CCA security of DHIES and Diffie-Hellman version of REACT. We also show that our result applies to a wider class of public key encryption schemes. Furthermore we show that our result implies the equivalence, in the random oracle model, between ‘Strong Diffie-Hellman’ and ‘Oracle Diffie-Hellman’ assumptions proposed by Abdalla, Bellare and Rogaway. Our results may be used as criteria for distinguishing public key encryption schemes whose CCA security is based on strong assumptions (such as Gap Diffie-Hellman) from those schemes based on weaker ones (such as Computational Diffie-Hellman).